############################### DISCLAIMER #################################
### Das Verwenden dieses Templates basiert auf eigener Verantwortung.    ###
### Die ALSO Schweiz AG lehnt jede Haftung ab beim Verwenden dieses      ###
### Templates                                                            ###
############################################################################  
# Dieses Template erstellt LocalIn Policy auf ANY Interface und blockt     #
# Request von und zu den IP Adressen welche im folgenden Artikel aufgelis- #
# tet wurden: https://www.fortiguard.com/psirt/FG-IR-22-398                #
# Weiter werden zwei IPv4 Regeln erstellt, welche von und zu diesen IPs    #
# den Traffic blockieren (Regeln zuoberst im Regelwerk einfügen)          #
#                                                                          #
# Wenn neue IP Adressen bekannt werden, können diese in die Gruppe        #
# gr_suspectIP-FG-IR-22-398 hinzugefügt werden!                           #
############################################################################
# Version 1.0.1 (13.01.2023)                                               #
# Erstellt von 4Tinu                                                       #
############################################################################

# IP Adressen Objekte erstellen
# One /32 address object per indicator from FG-IR-22-398. Each object is
# named "ext-suspectIP_<ip>" and tagged with the advisory id in its comment
# so it can be found (and later retired) independently of the group.
config firewall address
edit "ext-suspectIP_188.34.130.40"
set subnet 188.34.130.40 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_103.131.189.143"
set subnet 103.131.189.143 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_192.36.119.61"
set subnet 192.36.119.61 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_172.247.168.153"
set subnet 172.247.168.153 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_185.174.136.20"
set subnet 185.174.136.20 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_155.138.224.122"
set subnet 155.138.224.122 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_139.180.128.142"
set subnet 139.180.128.142 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_107.148.27.117"
set subnet 107.148.27.117 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_158.247.221.101"
set subnet 158.247.221.101 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_66.42.91.32"
set subnet 66.42.91.32 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
edit "ext-suspectIP_139.180.184.197"
set subnet 139.180.184.197 255.255.255.255
set comment "FG-IR-22-398"
set color 6
next
end

# Adressgruppe erstellen und IP Adressen hinzufuegen
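# Address group that the local-in and IPv4 policies below reference.
# New indicators are added here (as further "ext-suspectIP_*" objects) so
# the policies themselves never need to change.
#
# The original template pinned "set uuid <value copied from one device>".
# FortiOS assigns a UUID to every new object on its own; leaving the line
# out means each device that imports this template gets its own unique
# identifier instead of all devices sharing the one copied here.
config firewall addrgrp
edit "gr_suspectIP-FG-IR-22-398"
set member "ext-suspectIP_188.34.130.40" "ext-suspectIP_103.131.189.143" "ext-suspectIP_192.36.119.61" "ext-suspectIP_172.247.168.153" "ext-suspectIP_185.174.136.20" "ext-suspectIP_155.138.224.122" "ext-suspectIP_139.180.128.142" "ext-suspectIP_107.148.27.117" "ext-suspectIP_158.247.221.101" "ext-suspectIP_66.42.91.32" "ext-suspectIP_139.180.184.197"
set comment "https://www.fortiguard.com/psirt/FG-IR-22-398"
set color 6
next
end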

# Konfig LocalIn Policy ANY Services
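# Local-in policies: traffic addressed to the FortiGate itself (management,
# SSL-VPN, etc.) from the suspect addresses is dropped on every interface.
# The action is stated explicitly rather than relying on the FortiOS default,
# so the intent survives copy/paste into templates where "accept" is used.
#
# NOTE(review): the template defines no logging for these entries; whether
# denied local-in hits appear in the logs depends on the device's local-in
# logging settings under "config log setting" - confirm for your version.
config firewall local-in-policy
edit 0
set intf "any"
set srcaddr "gr_suspectIP-FG-IR-22-398"
set dstaddr "all"
set service "ALL"
set schedule "always"
set action deny
set comments "FG-IR-22-398"
next
# NOTE(review): a local-in policy only sees traffic whose destination is the
# FortiGate; this second entry therefore only matches if the device itself
# holds one of the suspect addresses. Kept for symmetry with the original
# template - confirm whether it is needed.
edit 0
set intf "any"
set srcaddr "all"
set dstaddr "gr_suspectIP-FG-IR-22-398"
set service "ALL"
set schedule "always"
set action deny
set comments "FG-IR-22-398"
next
end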

# Firewall IPv4 Policy erstellen. Zuoberst im Regelwerk einfuegen!
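# IPv4 policies: forwarded traffic from / to the suspect addresses is denied
# and logged ("logtraffic all" on a deny policy records the blocked sessions).
# The deny action is written out explicitly instead of relying on the default.
#
# "edit 0" appends the policies at the END of the policy table. They only take
# effect before any accept rule that would otherwise match, so move them to the
# top after import, e.g.:
#   config firewall policy
#   move <ID-OF-NEW-POLICY> before <ID-OF-CURRENT-FIRST-POLICY>
#   end
# (replace the placeholders with the ids shown by "show firewall policy").
config firewall policy
edit 0
set name "IN__FG-IR-22-398"
set srcintf "any"
set dstintf "any"
set srcaddr "gr_suspectIP-FG-IR-22-398"
set dstaddr "all"
set schedule "always"
set service "ALL"
set action deny
set logtraffic all
set comments "Block Incomming from suspicious IP -- CVE-2022-42475"
next
edit 0
set name "OUT__FG-IR-22-398"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "gr_suspectIP-FG-IR-22-398"
set schedule "always"
set service "ALL"
set action deny
set logtraffic all
set comments "Block outgoing to suspicious IP -- CVE-2022-42475"
next
end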